AzRoleAdvertizer

last sync: 2024-Nov-25 18:54:42 UTC

Defender for Storage Scanner Operator

Azure BuiltIn RBAC Role definition

Name

Defender for Storage Scanner Operator

0f641de8-0b88-4198-bdef-bd8b45ceba96

Description

Lets you enable and configure Microsoft Defender for Storage's malware scanning and sensitive data discovery features on your storage accounts. Includes an ABAC condition to limit role assignments.

CreatedOn

2023-11-10 10:31:03 UTC

UpdatedOn

2024-06-28 20:57:41 UTC

History

Date/Time (UTC ymd) (i)	Change	Change detail
2024-07-01 18:19:32	change: Actions	Actions: 'add Microsoft.Security/advancedThreatProtectionSettings/read; add Microsoft.Security/advancedThreatProtectionSettings/write; add Microsoft.Security/datascanners/read; add Microsoft.Security/datascanners/write; add Microsoft.Security/dataScanners/delete'
2024-04-30 17:48:19	add: Role	0f641de8-0b88-4198-bdef-bd8b45ceba96

Permissions summary

Effective control plane and data plane operations: 64 (unique operations)
•action: 7
•delete: 4
•read: 45
•write: 8

Actions: 22
Resolved control plane operations from Actions: 64
Effective control plane operations: 64
•action: 7
•delete: 4
•read: 45
•write: 8

NotActions: 0
Resolved control plane operations from NotActions: 0
Effective denied control plane operations: 16108

DataActions: 0
Resolved data plane operations: 0
Effective data plane operations: 0

NotDataActions: 0
Resolved data plane operations from NotDataActions: 0
Effective denied data plane operations: 3303

Actions

Operation	Description
Microsoft.Authorization/*/read	wildcarded / no description
Microsoft.Authorization/roleAssignments/delete conditioned	Delete a role assignment at the specified scope.
Microsoft.Authorization/roleAssignments/write conditioned	Create a role assignment at the specified scope.
Microsoft.EventGrid/eventSubscriptions/delete	Delete a eventSubscription
Microsoft.EventGrid/eventSubscriptions/read	Read a eventSubscription
Microsoft.EventGrid/eventSubscriptions/write	Create or update a eventSubscription
Microsoft.EventGrid/topics/read	Read a topic
Microsoft.Management/managementGroups/read	List management groups for the authenticated user.
Microsoft.Resources/deployments/*	wildcarded / no description
Microsoft.Resources/deployments/*	wildcarded / no description
Microsoft.Resources/subscriptions/read	Ruft die Liste der Abonnements ab.
Microsoft.Resources/subscriptions/resourceGroups/read	Ruft Ressourcengruppen ab oder listet diese auf.
Microsoft.Security/advancedThreatProtectionSettings/read	Gets the Advanced Threat Protection Settings for the resource
Microsoft.Security/advancedThreatProtectionSettings/write	Updates the Advanced Threat Protection Settings for the resource
Microsoft.Security/dataScanners/delete	Deletes the datascanners for the scope
Microsoft.Security/datascanners/read	Gets the datascanners for the scope
Microsoft.Security/datascanners/write	Creates or updates the datascanners for the scope
Microsoft.Security/defenderforstoragesettings/read	Gets the defenderforstoragesettings for the scope
Microsoft.Security/defenderforstoragesettings/write	Creates or updates the defenderforstoragesettings for the scope
Microsoft.Storage/storageAccounts/read	Returns the list of storage accounts or gets the properties for the specified storage account.
Microsoft.Storage/storageAccounts/write	Creates a storage account with the specified parameters or update the properties or tags or adds custom domain for the specified storage account.
Microsoft.Support/*	wildcarded / no description

NotActions

n/a

DataActions

n/a

NotDataActions

n/a

Used in
BuiltIn Policy

none

JSON

api-version=2023-07-01-preview

Condition

    (
        (
            !
            (
                ActionMatches {
                'Microsoft.Authorization/roleAssignments/write'
                }
            )
        )
        OR
        (
            @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {
            1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40 (Defender for Storage Data Scanner),
            d5a91429-5739-47e2-a06b-3470a27159e7 (EventGrid Data Sender)
            }
        )
    )
    AND
    (
        (
            !
            (
                ActionMatches {
                'Microsoft.Authorization/roleAssignments/delete'
                }
            )
        )
        OR
        (
            @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {
            1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40 (Defender for Storage Data Scanner),
            d5a91429-5739-47e2-a06b-3470a27159e7 (EventGrid Data Sender)
            }
        )
    )